reddit.com via Reddit

Claude Code logs all sessions to disk silently

anthropic coding tools ai-tools privacy

Key insights

  • Claude Code stores complete JSONL session logs locally at ~/.claude/projects/, accumulating indefinitely from first use with no documented opt-out.
  • One user's logs reached 57MB across 1,026 sessions spanning January to May 2026, including all tool calls and file paths touched.
  • Anthropic has published no documentation on this logging behavior, leaving developers unaware of the data retention occurring on their own machines.

Why this matters

Developers using Claude Code on proprietary codebases now have an undisclosed, permanent local record of every file path and tool interaction, which creates unexamined data-handling obligations for teams with security or compliance requirements. The absence of Anthropic documentation means enterprise buyers evaluating Claude Code had no basis to include this behavior in their security reviews, and security teams at those organizations may need to retroactively audit what has accumulated. As AI coding assistants compete for enterprise adoption, undisclosed local telemetry is the kind of discovery that triggers procurement policy reviews and gives compliance-conscious competitors a concrete differentiator to exploit.

Summary

Claude Code has been quietly writing every developer session to append-only JSONL files on local disk since its initial release, capturing tool calls, file paths, full conversation turns, and model responses in perpetuity with no documented disclosure from Anthropic. One developer surfaced the behavior by finding 57MB of logs across 1,026 sessions dating back to January 2026, stored under ~/.claude/projects/. The logs include granular records of every file the tool touched, making them a detailed operational history of a developer's entire Claude Code usage. Essentially: Anthropic (Claude Code) has been running silent, permanent local telemetry that developers never agreed to because they were never told it existed. - Logs are append-only JSONL, meaning they accumulate indefinitely with no built-in expiry or size cap. - Every tool call is recorded, so the files reflect not just conversation content but precise filesystem activity across projects. - Anthropic has not published documentation on this logging behavior, its intended purpose, or how to disable or purge it. The gap between what developer tools log and what they disclose is becoming a recurring trust problem as AI coding assistants embed deeper into production workflows.

Potential risks and opportunities

Risks

  • Developers working on client code under NDA may have inadvertently created permanent local records of file paths and tool interactions that violate confidentiality obligations, exposing them or their employers to breach claims.
  • Security teams at companies that passed Claude Code through procurement without discovering this behavior may face internal audit findings in the next 30-60 days as the Reddit disclosure circulates through infosec communities.
  • If the JSONL logs are synced to cloud backup services (iCloud, Google Drive, Dropbox) by default OS behavior, sensitive file path and session data could be stored off-device without the developer's awareness, widening the exposure surface.

Opportunities

  • Developer security tools (GitGuardian, Cycode, Socket) can position log-scanning or secrets-detection coverage for ~/.claude/projects/ as an immediate, concrete add-on for teams already using their platforms.
  • Competing AI coding assistants (Cursor, Codeium, Continue) with explicit, documented local data policies gain a clear enterprise sales argument as procurement teams begin adding logging-transparency requirements to vendor questionnaires.
  • Anthropic has an opening to ship a well-designed session log management interface (rotation, purge, opt-out) and publish a transparency doc that turns this discovery into a trust-building moment rather than a lasting liability.

What we don't know yet

  • Whether Anthropic's terms of service or privacy documentation cover locally-written session logs, and whether any of that data is also transmitted to Anthropic servers.
  • Whether Claude Code exposes a supported configuration flag or CLI option to disable or rotate local session logs, and if not, whether Anthropic plans to ship one.
  • Whether enterprise Claude Code deployments (via API or business accounts) share the same logging behavior, and if so, whether customer data agreements account for it.

Originally reported by reddit.com

Read the original article →

Original headline: r/ClaudeAI: Claude Code Has Been Writing Every Session to Disk Since Day One — Complete JSONL Logs Including All Tool Calls and File Touches Going Back to First Use